Definition

Security Question

A security question is a knowledge-based authentication mechanism used by some websites to allow users to reset an account password. The user answers one or more personal questions when creating the account and must reproduce the same answers later to regain access.

Vulnerabilities

Easy to Discover

Answers can often be found by strangers through social engineering or by checking public social networks.

Sarah Palin’s Yahoo email account was compromised in 2008 after an attacker correctly guessed the answer to her security question — "Where did you meet your partner?" — from publicly available information.

Recommendation

Deactivation

If possible, this mechanism should be deactivated. Modern systems should rely on stronger recovery methods such as email-based reset links with time-limited tokens or multi-factor authentication.
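The time-limited reset token mentioned above, as an added illustration that is not part of the original page: the server stores only a hash of a random token, binds it to an expiry, and consumes it on first use. The 15-minute lifetime and the in-memory store are assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links die after 15 minutes

# Constructed in-memory store mapping token hash -> (user_id, expires_at).
# A real deployment keeps this server-side in a database or cache.
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table cannot be replayed as a link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited token to embed in an emailed reset link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _pending_resets[_hash_token(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known and unexpired, else None.

    The entry is removed on the first lookup hit, so a token cannot be reused
    even if the reset link is later recovered from a mailbox or log.
    """
    now = time.time() if now is None else now
    entry = _pending_resets.pop(_hash_token(token), None)
    if entry is None:
        return None  # unknown, already used, or forged
    user_id, expires_at = entry
    if now > expires_at:
        return None  # expired: the user must request a fresh link
    return user_id


if __name__ == "__main__":
    link_token = issue_reset_token("alice")
    print("reset link: https://example.invalid/reset?token=" + link_token)
    print("first redeem :", redeem_reset_token(link_token))   # alice
    print("second redeem:", redeem_reset_token(link_token))   # None
```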